At my work, I am behind a NTLM proxy. No problem with IE, Firefox etc. as they support the NTLM authentication mechanism. But, when using ‘open source’ tools, supporting only basic proxy authentication, like Ruby’s GEM, I was not able to connect to the internet. After some research, I found the solution: Use the open source Squid as a Windows service running a local proxy, and let Squid connect to our company’s NTLM proxy server.
Installing and configuring Squid
Download Squid 2.7 STABLE 6
Extract the archive to C:\Squid (so you’ve got C:\Squid\bin etc. after extracting)
In C:\Squid\etc rename the *.conf.default to *.conf.
Create a directory C:\Squid\var\cache
Edit C:\Squid\etc\squid.conf and replace the contents with this:
#==============================================================================
# SQUID CONFIGURATION FILE FOR TRANSPARENT NTLM PROXY
#==============================================================================
# With this Squid configuration file, you can let any 'basic proxy'-supporting
# application access the internet when you're behind a NTLM authenticating
# proxy server, since this authentication mechanism is not supported by many
# open source tools (think Ruby's GEM, wget, etc.)
#Here the connection to the 'parent' NTLM proxy is specified
#Replace 11.12.13.14 with the IP address of your NTLM proxy
#Replace 8080 with the port of your NTLM proxy
#Optionally, use 'ping proxy' to get the IP address of your proxy server
#Replace login= with your NTLM username and password. Remember to use %20 where a space would be used!
cache_peer 11.12.13.14 parent 8080 0 no-query proxy-only login=user%20name:password
#The port this basic proxy will run on (3128)
http_port 127.0.0.1:3128
#Generic settings for Squid, not touched for the most part
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
icp_access allow localnet
icp_access deny all
hierarchy_stoplist cgi-bin ?
cache_dir ufs c:/squid/var/cache 100 16 256
access_log c:/squid/var/logs/access.log squid
cache_log c:/squid/var/logs/cache.log
cache_store_log none
mime_table c:/squid/etc/mime.conf
pid_filename c:/squid/var/logs/squid.pid
unlinkd_program c:/squid/libexec/unlinkd.exe
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
via off
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
icp_port 0
htcp_port 0
log_icp_queries off
never_direct allow all
forwarded_for off
client_db off
coredump_dir c:/squid/var/cache
#Restrict who can access the proxy here!
#(Probably better to replace line below with http_access allow localhost
http_access allow all
icp_access allow localnet
icp_access deny all
#Make yourself anonymous with these calls
header_access From deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Warning deny all
header_access Via deny all
header_access User-Agent deny all
header_access Proxy-Connection deny all
header_access X-Forwarded-For deny all
httpd_suppress_version_string on
Open a command prompt
CD to “C:\Squid\sbin”
run “squid.exe -z” to create the needed cache directories and swap files
run “squid.exe -i” to install squid as a system service
run “services.msc” to start the Services Control Panel
Find the “Squid” service and start it (or just type “net start squid”)
Accessing the internet via Squid
In your browser, select “localhost” and port “3128″ to connect to the internet via your new squid proxy
If no connection can be established, check “C:\Squid\var\logs\cache.log” to check what possibly went wrong. Fix the parameters in the squid.conf file and restart the service until it works.
For Ruby GEM, for example, add a environment variable “HTTP_PROXY” with value “http://localhost:3128″ (or just use the SET command to test it temporarily)
Encrypting your traffic
Download JAP
Posted by rheenen 
